Tech boffins: Spend gov money on catching cyber crooks, not on AV

The UK government should be spending more on catching cybercriminals instead of splurging taxpayers' money on antivirus software, tech boffins have said.

Blighty goes through around £639m a year trying to clean up after attacks or prevent threats – including £108m it spends on antivirus – but the country is only spending £9.6m on techy law enforcement, a University of Cambridge study found.

"Some police forces believe the problem is too large to tackle," Ross Anderson, professor of security engineering at the University of Cambridge’s Computer Laboratory, said in a canned statement.

"In fact, a small number of gangs lie behind many incidents and locking them up would be far more effective than telling the public to fit an anti-phishing toolbar or purchase antivirus software."

The Cabinet Office said it welcomed "this latest contribution to the debate on cybercrime".

"The government believes the threat is serious and needs to be tackled and that is why we have rated cyber as a Tier 1 threat. Raising awareness and building capacity to resist threats continues to be our focus," a spokesperson told The Reg in an emailed statement.

"That includes investing in law enforcement capability to detect and apprehend cyber criminals. But we also think it is important to make sure people have the information they need to take steps to protect themselves."

The study, which was started after a request from the Ministry of Defence, also said that the amount of money the UK was losing as a result of cybercrime was being exaggerated.

"For instance, a report (PDF) released in February 2011 by the BAE subsidiary Detica in partnership with the Cabinet Office’s Office of Cybersecurity and Information Assurance suggested that the overall cost to the UK economy from cyber-crime is £27 billion annually," the research said.

"That report was greeted with widespread scepticism and [was] seen as an attempt to talk up the threat; it estimated Britain's cybercrime losses as £3bn by citizens, £3bn by the government and a whopping £21bn by companies. These corporate losses were claimed to come from IP theft (business secrets, not copied music and films) and espionage, but were widely disbelieved both by experts and in the press."

Using figures ranging from 2007 to 2012, including some that are "extremely rough estimates" based on data or assumptions for the reference area, the study reckoned that all the costs of cybercrime, both direct and indirect, came out at around £11.7bn.

UK.gov – Cybercrime is expensive

The Cabinet Office spokesman said that Detica was best placed to explain its own methodology, but still disagreed somewhat with the study's conclusions.

"The Cyber Security Strategy was clear that a truly robust estimate would probably never be established, but that the costs are high and rising," he said.

"That said, we think there are grounds for believing that the true cost is higher than the £11bn quoted by Cambridge University.

"For example, the authors say that they can't find any hard evidence of the cost of IP theft and have therefore concluded this doesn't impose any costs beyond the defensive measures they refer to elsewhere in the paper. However, there are suspected cases of IP theft in the public domain and the costs are not nil."

Aside from differing opinions on the cost of cybercrime, the research team also reckoned that some existing meatspace crime was moving online and being tallied up as part of the cyber cost.

The study pointed out that fraud in the welfare and tax systems, which now often takes place online, is probably costing Brits a few hundred pounds a year on average while card and bank fraud cost a few tens of pounds a year per citizen.

However, what they call 'true cybercrime', scams that completely depend on the internet, is only costing a few tens of pence a year per citizen, while the cost of antivirus software can be hundreds of times that.

Basically, the indirect cost of folks trying to protect themselves from cybercriminals ends up being greater than the losses from the crime itself.

"Take credit card fraud," said Richard Clayton, expert in the econometrics of cybercrime in Cambridge’s Computer Lab. "Direct loss is clearly the monetary loss suffered by the victim.

"However, the victim might then lose trust in online banking and make fewer electronic transactions, pushing up the indirect costs for the bank because it now needs to maintain cheque clearing facilities, and this cost is passed on to society.

"Meanwhile, defence costs are incurred through recuperation efforts and the increased security services purchased by the victim. The cost to society is the sum of all of these," he explained.

The research team concluded that less should be spent on antivirus, firewalls and other preventative measures and "an awful lot more" on catching and punishing the perpetrators.

The study (PDF, 346KB) is due to be presented at the 11th annual Workshop on the Economics of Information Security (WEIS), which takes place in Berlin on 25 and 26 June. ®